Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider.

The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this variant the malware’s authors include a picture of a cat:

The ransomware constantly requests commands from the control server via HTTP, and the malicious server responds with the attackers’ instructions defined in the control panel. All of this traffic is transmitted without encryption.

The commands that this threat can receive and perform are described in the following table:

Some interesting features of this ransomware include the ability to encrypt specific files, steal SMS messages while forwarding them to the attacker and avoiding the victim’s message visualization, lock access to the device and the encryption using an AES algorithm with a hardcoded password. Unlike asymmetric encryption, using a hardcoded password makes decryption trivial. Moreover, the application code contains a method to decrypt the affected files; thus this ransomware app can be forced to decrypt files if one invokes the appropriate method.

McAfee Labs has informed the owners of the abused servers and has requested they take down the malicious service.

This ransomware variant looks like a demo version used to commercialize malware kits for cybercriminals because the control server interface is not protected and includes in the code words such as MyDificultPassw.

These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.

McAfee Mobile Security detects this Android threat as Android/Ransom.ElGato and alerts mobile users if the malware is present, while protecting them from any data loss. Follow this link for more information about McAfee Mobile Security.